I’m currently performing a security assessment for the SonarQube Docker image in a DOD tangential field, and am using a tool called Trivy (Trivy Open Source Vulnerability Scanner | Aqua) to perform this task. Upon scanning the latest Docker image available (as of writing, 9.8.0), several high/critical level vulnerabilities appear. I’ve attached the resulting .json report for reference.
report.json (86.8 KB)
While some of these I can mitigate by creating a custom Dockerfile that uses SonarQube as a base image while replacing the .jars outright (things like opt/sonarqube/elasticsearch/modules/transport-netty4/netty-codec-4.1.66.Final.jar), there are several built into Sonar-built .jar files that I am unable to modify, namely
I understand that a static analysis tool pointing out a potential vulnerability does not always lead to something actually exploitable; however, in my position I’m unable to accept any high/critical vulnerabilities in these assessments outright, regardless of context. Will these Java dependencies be updated in an upcoming release? If so, what is the target version?
Must-share information (formatted with Markdown):
- which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
  - SonarQube Docker image, 9.8.0-community
- what are you trying to achieve
  - A Trivy scan free of high/critical level vulnerabilities
- what have you tried so far to achieve this
  - Attempted to create a custom Dockerfile that will swap out standalone jars and replace them with the updated non-vulnerable versions, but enough vulnerabilities are baked into the sonar-scanner-engine and sonar-application jars that completely mitigating all of them is not possible.
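For anyone doing the same triage on a Trivy report, here is an added example (not part of the original post, and not SonarQube or Trivy code) that applies the "no high/critical" policy to a report in Trivy's JSON layout and separates targets whose findings all carry a FixedVersion (candidates for the jar-swap approach above) from those that do not. The sample report, CVE ids, package names, fixed versions and the sonar-application jar path are constructed placeholders.

```python
import json
from collections import defaultdict

# Severity scale used by Trivy, lowest to highest.
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample in Trivy's JSON report layout (Results -> Vulnerabilities).
# The first target path is the one from the post; CVE ids, package names, fixed
# versions and the second target path are placeholders, not values from report.json.
SAMPLE_REPORT = json.loads("""{"Results": [
  {"Target": "opt/sonarqube/elasticsearch/modules/transport-netty4/netty-codec-4.1.66.Final.jar",
   "Type": "jar", "Vulnerabilities": [
     {"VulnerabilityID": "CVE-0000-0001", "PkgName": "io.netty:netty-codec",
      "InstalledVersion": "4.1.66.Final", "FixedVersion": "PLACEHOLDER-FIXED", "Severity": "HIGH"}]},
  {"Target": "opt/sonarqube/lib/sonar-application-9.8.0.jar",
   "Type": "jar", "Vulnerabilities": [
     {"VulnerabilityID": "CVE-0000-0002", "PkgName": "example:bundled-lib",
      "InstalledVersion": "1.0", "FixedVersion": "", "Severity": "CRITICAL"},
     {"VulnerabilityID": "CVE-0000-0003", "PkgName": "example:other-lib",
      "InstalledVersion": "2.0", "FixedVersion": "2.1", "Severity": "MEDIUM"}]}]}""")


def triage(report, min_severity="HIGH"):
    """Group findings at or above min_severity by target, noting whether every
    finding has a FixedVersion (i.e. whether swapping that jar could clear it)."""
    threshold = SEVERITY_RANK[min_severity]
    grouped = defaultdict(list)
    for result in report.get("Results", []):
        # "Vulnerabilities" may be absent or null for a clean target.
        for vuln in result.get("Vulnerabilities") or []:
            if SEVERITY_RANK.get(vuln.get("Severity", "UNKNOWN"), 0) < threshold:
                continue
            grouped[result["Target"]].append({
                "id": vuln["VulnerabilityID"],
                "pkg": vuln["PkgName"],
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln.get("FixedVersion", ""),
                "severity": vuln["Severity"],
            })
    return {
        target: {"findings": findings,
                 "all_fixable": all(f["fixed"] for f in findings)}
        for target, findings in grouped.items()
    }


def gate(report, min_severity="HIGH"):
    """True when the image satisfies a 'nothing at min_severity or above' policy."""
    return not triage(report, min_severity)
```

Point it at the real report with `triage(json.load(open("report.json")))`; targets with `all_fixable` False are the ones a jar swap cannot fully clear.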